1. ===========================

  2. Django 2.2.28 release notes

  3. ===========================

  4. 

  5. *April 11, 2022*

  6. 

  7. Django 2.2.28 fixes two security issues with severity "high" in 2.2.27.

  8. 

  9. CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``

  10. ====================================================================================================

  11. 

  12. :meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and

  13. :meth:`~.QuerySet.extra` methods were subject to SQL injection in column

  14. aliases, using a suitably crafted dictionary, with dictionary expansion, as the

  15. ``**kwargs`` passed to these methods.

  16. 

  17. CVE-2022-28347: Potential SQL injection via ``QuerySet.explain(**options)`` on PostgreSQL

  18. =========================================================================================

  19. 

  20. :meth:`.QuerySet.explain` method was subject to SQL injection in option names,

  21. using a suitably crafted dictionary, with dictionary expansion, as the

  22. ``**options`` argument.
About Sign Up Leave Feedback Contact